Personal Sleep Coach

Security checks across malware telemetry and agentic risk

Overview

This is a simple sleep-coaching skill that keeps a local sleep log, which matches its stated purpose but may store personal sleep details over time.

Install only if you are comfortable keeping a local sleep journal in `knowledge/personal/sleep.md`. Avoid putting sensitive secrets or agent instructions in the notes field, and periodically review, edit, or delete the file if you do not want older sleep history retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to persist personal sleep data to a file whenever the user shares sleep details, but it does not require explicit user consent or disclose that the information will be stored. This creates a privacy risk because sensitive behavioral and health-adjacent data may be retained unexpectedly and accumulate over time.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The file repeatedly directs use of persistent memory for sleep logs without any privacy notice, retention limit, or consent check. Because sleep schedules, quality, and patterns can reveal intimate lifestyle and health information, silent persistence increases the risk of unauthorized retention and secondary misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal